Abstract — The search for lightweight authentication protocols suitable for low-cost RFID tags constitutes an active and challenging research area. In this context, a family of protocols based on the LPN problem has been proposed: the so-called HB-family. Despite the rich literature regarding the cryptanalysis of these protocols, there are no published results about the impact of fault analysis over them. The purpose of this paper is to fill this gap by presenting a fault analytic method against a prominent member of the HB-family: HB+ protocol. We demonstrate that the fault analysis model can lead to a flexible and effective attack against HB-like protocols, posing a serious threat over them.

Index Terms — Fault analysis, authentication protocols, HB+ protocol, RFID systems.

I. Introduction 

HB-family. Recently, radio frequency identification (RFID) systems have attracted substantial attention from the industry and the research communities. Since RFID tags are expected to replace traditional barcodes, they will become one of the most used devices in the near future. They present a wide collection of applications that include: supply chain management, warehouse inventory control, pet identification, secure passport systems, anticounterfeiting tags for pharmaceutical products, among others.

Despite the benefits that could be brought by the use of RFID tags, some challenging issues emerge. The tag-reader communication occurs by means of a wireless link, which increases the system's vulnerability against passive and active adversaries. Additionally, RFID tags are highly constrained devices and do not have the processing, storage, power and communication resources necessary to implement standard authentication protocols.

In order to provide lightweight authentication functionalities to RFID systems, Hopper and Blum [9] introduced the HB protocol, which was based on a well-known intractability assumption: the Learning Parity with Noise (LPN) problem. The LPN problem is NP-complete and only involves the use of binary vectors and inner products, which makes it an appropriate choice for constrained devices. Later, Juels and Weis [11] proved that HB was insecure against active adversaries and proposed an improved version of the protocol: the HB+ protocol. However, Gilbert et al. [8] demonstrated that HB+ was vulnerable to a class of man-in-the-middle attacks known as GRS-MITM attacks. In pursuance of mitigating this vulnerability, subsequent variants have been proposed: HB++, HB*, and HB-MP. Unfortunately, none of them succeeded. Their tolerance to GRS-MITM attacks is equivalent to that of HB+ and they possess additional complexity and/or reduced practicality [7]. In 2008, Gilbert et al. presented their protocol version called HB#. This new variant solved many drawbacks of its predecessors. Among them: it is provably secure against GRS-MITM attacks and presents a reduced communication cost. Although HB# represented an evolution in terms of efficiency and security, it was later shown that it is vulnerable to a more general man-in-the-middle adversary.

The authors are with the Department of Electrical Engineering, University of Brasilia, Campus Darcy Ribeiro, 70910-900, Brasilia, DF, Brazil, e-mail: {carrijo,tonicelli}@redes.unb.br, andclay@ene.unb.br

As illustrated in the previous history line, the research community effort has been directed to mitigating active attacks based on a man-in-the-middle setting. Before proceeding further, it is relevant to discuss the practical feasibility of man-in-the-middle attacks against the HB-family. No implementation of such attacks on RFID systems has been reported in the literature yet, as it apparently requires a sophisticated hardware device capable of capturing and modifying the tag-reader communications in real time [14]. In this article, we offer an alternative approach: a simple and effective fault attack that can be applied to a wide collection of HB variants. In contrast to MITM attacks, our approach has already been demonstrated to be feasible in [10], where implementations of fault analytic techniques over RFID tags have been made with low-cost equipment.

Fault Analysis. Traditional cryptography often assumes that secrets are stored in tamper-proof locations. Under this conventional point of view, cryptographic systems are modeled as black boxes, i.e., as ideal mathematical objects. Nevertheless, cryptographic systems are implemented on physical devices, which present potential side channels not considered by the security models of theoretical cryptography. In this context, fault analysis came into the scene as an alternative approach on gathering secret data.

Fault attacks are focused on attacking the physical implementation of a given cryptosystem, rather than its algorithmic structure. A fault attack relies on the principle that the cryptanalyst is allowed to manipulate the target device and induce it to operate abnormally, making it output faulty results. These faulty results can later be used by the cryptanalyst to derive secret information. Depending on the implementation, there are several fault induction techniques that can be deployed over the target device: exposing its surface to focused light beams, provoking variations in its power supply, exposing it to heat or radiation, inducing clock variations, among others.

The introduction of fault analysis by Boneh et al. motivated extensive research in the field. Since then, fault analysis has been successfully applied to disrupt standard symmetric [2] and asymmetric ciphers. But there are no such results for lightweight authentication protocols, which is the intended goal of the present work.

Contributions. This paper provides a fault analytic technique against the HB+ protocol. Our objective is to contribute to the specialized literature by offering an alternative perspective in the cryptanalysis of such protocols. The fault attack proposed here presents various advantages over other active attacks: (1) it does not require the eavesdropping of previous authentication procedures, (2) it can be easily adapted to disrupt other HB-variants, (3) technologically, it requires an affordable physical apparatus. Our fault analysis model assumes a great level of control over the cryptographic device. We leave as an open problem the design and application of a weaker fault analytic model.

Organization. This paper is organized as follows. In section II we briefly review the protocol HB+. Section III details the fault analysis model here used. Section IV describes the attacks and section V presents some performance results.

II. Description of the Protocols 

Assume that tag and reader communicate by means of an insecure wireless channel and share some piece of secret information. The HB+ protocol is as follows:

Protocol HB+

1) For $i = 1$ to $r$

   a) The reader chooses a random $k$-bit string $a_i \in \{0,1\}^k$ and sends it to the tag.

   b) The tag chooses a random $k$-bit string $b_i \in \{0,1\}^k$ and sends it to the reader.

   c) The tag computes $z_i = a_i \cdot x \oplus b_i \cdot y \oplus \nu_i$. After computing $z_i$, the tag sends it back to the reader.

   d) The reader computes $z_i^* = a_i \cdot x \oplus b_i \cdot y$ and compares it to $z_i$.

2) The reader accepts the authentication as valid if $z_i^* \neq z_i$ in less than $\eta r$ rounds.

Symbol                  Meaning
$(x, y)$                $k$-bit secret key pair shared by tag and reader.
$\nu_i$                 a noise bit, such that $\Pr[\nu_i = 1] = \eta \in\ ]0, \tfrac{1}{2}[$.
$\oplus$ and $\cdot$    bitwise XOR and inner product operations.

Reader                          Secret $(x, y)$                          Tag

Select $a_i \in_R \{0,1\}^k$
                                    $b_i$             Select $b_i \in_R \{0,1\}^k$
                                                      Choose $\nu_i \in_R \{0,1\}$, s.t. $\Pr[\nu_i = 1] = \eta$
                                                      Compute $z_i = a_i \cdot x \oplus b_i \cdot y \oplus \nu_i$

Accept iff $|z_i = a_i \cdot x \oplus b_i \cdot y| > t$ times.

Fig. 1. Description of the protocol HB+.

A legitimate tag interacting with a legitimate reader may be rejected with probability $P_{FR}$ (probability of false rejection), and an adversarial structure answering randomly at each round may be accepted with probability $P_{FA}$ (probability of false acceptance). For the HB+ protocol, these probabilities are given below:

P**= E 

i=7jr-\-l 



V i 0--V) r ~ i mdP FA = 



E 

i=0 

III. Fault Analysis Model
A. Assumed Fault Analysis Assumptions

At first, it is important to differentiate local fault injections from global fault injections. Local fault injections affect only specific regions of the device, while global fault injections affect the entire device. Thus, local fault-injection methods are more precise and can be directed to the specific regions of the device that contain sensitive information. Our fault analytic model relies on local fault injections applied to the RFID tag.

In such a fault analysis model, the adversary has physical access to the device and is allowed to run it several times while inducing faults in chosen memory areas. Specifically, we consider that the adversary is able to apply bit flipping faults to either the RAM or the internal registers of the device. Besides that, he/she can arbitrarily reset the cryptographic device and later induce other randomly chosen faults into it.

Our fault analysis assumptions are the following ones:

• The adversary is allowed to change the content of chosen memory areas to specific values, 0 or 1.

• The adversary is able to run the authentication procedure as many times as he/she needs.

• The adversary knows precisely the time at which the faults occur.


B. On the Possibility of Localized Fault Injections 

Since we assume a strong adversarial model, it is important to conjecture about the feasibility of the underlying attack. In this field, significant results have been achieved by Hutter et al. [10], who offered a detailed analysis of the vulnerabilities of RFID tags to faults.

As previously stated, we assume that the adversary is able to induce faults on specific parts of the device. In [10], the authors show that it is possible to perform localized fault injections on RFID tags by means of focused laser beams. Their local fault-injection techniques relied on an affordable physical apparatus: an optical microscope equipped with an integrated incident illumination device, and a laser diode mounted on the top of the microscope camera port.

Remarkably, the authors report that the microscope provided the capability of exploring the device's internal structure very accurately. They describe that their method allowed them to interfere with data, control lines, memory blocks and driver circuits.

Thus, it is possible to conjecture that our fault analytic model, despite being strong, is not far away from reality.
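
The HB+ rounds of Section II, run in software with the bit-set fault of Section III.A applied to a simulated tag's key, as an added example that is not part of the original paper. The class and function names, the packing of bit vectors into integers, the constructed key and seed, and the acceptance rule (at most $\eta r$ mismatching rounds) are assumptions of this example.

```python
import random

def dot(u: int, v: int) -> int:
    """Inner product over GF(2) of two bit vectors packed into ints."""
    return bin(u & v).count("1") & 1

class Tag:
    """Simulated tag holding w = x||y (bit i < k lives in x, the rest in y)."""
    def __init__(self, x, y, k, eta, rng):
        self.x, self.y, self.k, self.eta, self.rng = x, y, k, eta, rng

    def blinding(self) -> int:                 # step b): random k-bit b_i
        return self.rng.getrandbits(self.k)

    def respond(self, a: int, b: int) -> int:  # step c): z_i with noise nu_i
        nu = 1 if self.rng.random() < self.eta else 0
        return dot(a, self.x) ^ dot(b, self.y) ^ nu

    def set_key_bit(self, i: int, value: int) -> None:
        """Fault model of Section III.A: force bit i of w to a chosen value."""
        name, pos = ("x", i) if i < self.k else ("y", i - self.k)
        setattr(self, name, getattr(self, name) & ~(1 << pos) | (value << pos))

def authenticate(tag, x, y, k, r, eta, rng) -> bool:
    """Reader side: accept when at most eta*r rounds mismatch (assumed rule)."""
    mismatches = 0
    for _ in range(r):
        a = rng.getrandbits(k)                 # step a): random k-bit a_i
        b = tag.blinding()
        z = tag.respond(a, b)
        mismatches += z ^ dot(a, x) ^ dot(b, y)   # step d): compare with z_i*
    return mismatches <= eta * r

def acceptance_rate(tag, x, y, k, r, eta, rng, trials=2000) -> float:
    ok = sum(authenticate(tag, x, y, k, r, eta, rng) for _ in range(trials))
    return ok / trials

def demo(seed: int = 1):
    """Constructed run: k = 32, with r = 40 and eta = 0.125 as in Table I."""
    rng = random.Random(seed)
    k, r, eta = 32, 40, 0.125
    x, y = rng.getrandbits(k), rng.getrandbits(k)   # constructed key pair
    tag = Tag(x, y, k, eta, rng)
    intact = acceptance_rate(tag, x, y, k, r, eta, rng)
    stored = (x >> 3) & 1
    tag.set_key_bit(3, stored)          # written value equals the stored bit
    unchanged = acceptance_rate(tag, x, y, k, r, eta, rng)
    tag.set_key_bit(3, stored ^ 1)      # written value differs from the stored bit
    altered = acceptance_rate(tag, x, y, k, r, eta, rng)
    return intact, unchanged, altered

if __name__ == "__main__":
    print("acceptance rate (intact, same-value write, altered bit):", demo())
```

With these parameters the intact tag is accepted in roughly 60% of runs, while the tag with one altered key bit is essentially never accepted.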

IV. Description of the Attack 

Our method consists of performing fault insertions into the device and trying to authenticate it on a legitimate reader. Based on the result of the authentication procedure, the cryptanalyst infers the actual value of the modified bit. The inherent beauty of this attack resides in the fact that the adversary is not required to eavesdrop on any previous authentication procedures.

Let $w$ denote the memory area that stores the binary string composed by the concatenation of the two secret keys, i.e., $w = x \| y$, such that $w \in \{0,1\}^{2k}$.

The procedure FLIP(w[i], b) changes the memory content of w[i] to the binary value b.

Algorithm 1 FLIP(w, i, b): Flip the i-th bit of the string w to b, such that $b \in \{0, 1\}$.

Require: $w$ such that $w \in \{0, 1\}^m$.

Ensure: $\tilde{w}$, such that $\tilde{w}[i] = b$, and for all $j \neq i$, $\tilde{w}[j] = w[j]$.

The function HBplusAuthentication(v) denotes the process of trying to authenticate by using a $2k$-bit binary string $v$. The function HBplusAuthentication(v) returns TRUE if the authentication procedure succeeds, or returns FALSE if the authentication procedure fails.

Algorithm 2 describes the attack on HB+.

Algorithm 2 BreakHBplus(w, q): Compute the two shared secret keys x and y.

Require: Memory area $w$ and parameter $q \in \mathbb{N}^*$.

Ensure: The secret key pair $(x, y)$, such that $(x, y) \in \{0,1\}^k \times \{0,1\}^k$. The secret key pair is correctly discovered with high probability.

    for i = 1 to 2k do
        FLIP(w[i], 0)
        counter <- 0
        for j = 1 to q do
            if HBplusAuthentication(w) then
                counter <- counter + 1
            end if
        end for
        if counter > q/2 then
            ExtractedKey[i] <- 0
        else
            ExtractedKey[i] <- 1
            FLIP(w[i], 1)
        end if
    end for
    x <- ExtractedKey[1, ..., k]
    y <- ExtractedKey[k + 1, ..., 2k]
    return (x, y)

V. Performance Results

A. Information Theoretic Measures

Prior to evaluating the effectiveness of the attack against the protocol HB+, we shall define some information theoretic quantities that will be useful in our analysis. Particularly, we are interested in two tasks: (1) quantifying the correlation between the key stored in the device and the key extracted by the attacker and (2) characterizing the level of information leaked by executing the underlying cryptanalytic method.

Let $X$ and $Y$ be discrete random variables defined over finite alphabets $\mathcal{X}$ and $\mathcal{Y}$, respectively. The definitions are as follows:

The entropy of $X$ can be visualized as the amount of uncertainty contained in it and is given by:

$$H(X) = -\sum_{x} P_X(x) \log_2 P_X(x),$$

where $0 \leq H(X) \leq \log_2 |\mathcal{X}|$.

Loosely speaking, the equivocation of $X$ given $Y$ measures the amount of remaining uncertainty on $X$ given that $Y$ is known. Its definition is given next:

$$H(X \mid Y) = -\sum_{x,y} P_{XY}(x, y) \log_2 P_{X \mid Y}(x \mid y),$$

where $0 \leq H(X \mid Y) \leq H(X)$.

The mutual information between $X$ and $Y$ measures the correlation between them and is defined as:

$$I(X; Y) = \sum_{x,y} P_{XY}(x, y) \log_2 \frac{P_{XY}(x, y)}{P_X(x) P_Y(y)},$$

where $0 \leq I(X; Y) \leq H(X)$. Additionally,

$$I(X; Y) = H(X) - H(X \mid Y).$$


B. Results 

Probability of Failure. 

In the first place, we shall calculate the probability of committing an error when retrieving a single bit of a shared secret key. This probability of error can be trivially derived.

Lemma 1: Let $w \in \{0,1\}^{2k}$ denote a uniformly distributed secret key stored in an RFID tag, and let $w'_q \in \{0,1\}^{2k}$ denote the key guessed by an attacker who executes $q$ queries to the device. The probability of error, i.e., the probability of retrieving the bit $w'_q[i] = \bar{b}$ when the actual bit is $w[i] = b$, is given by:



E 

= L<?/2J- 



1 



where $p = \Pr(w'_1[i] \neq w[i]) = \frac{1}{2}(P_{FA} + P_{FR})$.

Proof: Initially, we obtain the probability of error when one single query ($q = 1$) is executed by the attacker.

$$p = \sum_{b \in \{0,1\}} \Pr(w[i] = b) \cdot \Pr(w'_1[i] = \bar{b} \mid w[i] = b) = \frac{1}{2} \Pr(w'_1[i] = 1 \mid w[i] = 0) + \frac{1}{2} \Pr(w'_1[i] = 0 \mid w[i] = 1)$$

• $\Pr(w'_1[i] = 1 \mid w[i] = 0)$.

In this case, the adversary injects a zero into the position $w[i]$. Consequently, the attacker's action did not alter the value of the stored secret key and the tag remains valid. An error occurs if the reader rejects the tag.

$$\Pr(w'_1[i] = 1 \mid w[i] = 0) = P_{FR}$$

• $\Pr(w'_1[i] = 0 \mid w[i] = 1)$.

After the fault injection, the value of the stored secret key is modified, and the tag is no longer valid. Consequently, the reader is expected to reject the tag. An error occurs if the reader authenticates the tag.

$$\Pr(w'_1[i] = 0 \mid w[i] = 1) = P_{FA}$$

Therefore, $p = \frac{1}{2}(P_{FA} + P_{FR})$.

In the next step we calculate the probability of error when an arbitrary number $q$ of queries is executed, which is given by:



P e (q) = 



E 

= L?/2J- 



Figure 2 shows the graph of $p = f(\eta, r)$. We may conclude that the more reliable is the authentication procedure, the more reliable is the fault analytic method. Furthermore, it is easily observable that $P_e(q)$ asymptotically goes to zero for sufficiently large $q$. ■




Fig. 2. Probability of error as a function of $\eta$ (the noise level) and $r$ (number of rounds). [Axes: noise level, number of rounds.]

Information Leakage. 

We analyze the effectiveness of the attack by using the definitions in section V-A. We also empirically demonstrate that $P_e(q)$ approaches zero for a sufficiently large number of queries.

One can see that the process of extracting one isolated bit of the secret key is analogous to the process of transmitting a single bit over a binary symmetric channel (BSC) with crossover probability $p(\eta, r)$. Let $h(p) = -p \log p - (1 - p) \log(1 - p)$ denote the binary entropy function. For the specific case where the key is uniformly distributed, we have that $H(w[i] \mid w'_q[i]) = h(P_e(q))$ and $I(w[i]; w'_q[i]) = 1 - h(P_e(q))$.

We can observe that $H(w[i] \mid w'_q[i]) \to 0$ and $I(w[i]; w'_q[i]) \to 1$ for sufficiently large $q$. This is illustrated in the next tables.

Furthermore, we should point out that the underlying attack requires the injection of $2k$ faults and the realization of $2kq$ authentication procedures. Thus it presents a linear time complexity $O(k)$.



$q$     $P_e(q)$    $H(w[i] \mid w'_q[i])$    $I(w[i]; w'_q[i])$
7       0.0289      0.2943                    0.8111
11      0.0094      0.1888                    0.9227
17      0.0019      0.772                     0.9800
19      0.0011      0.0199                    0.9873

TABLE I

Results for parameters $\eta = 0.125$, $r = 40$, $p(0.125, 40) = 0.1919$.



$q$     $P_e(q)$    $H(w[i] \mid w'_q[i])$    $I(w[i]; w'_q[i])$
7       0.0384      0.2348                    0.7651
11      0.0143      0.1080                    0.8919
17      0.0035      0.0334                    0.9666
19      0.0022      0.0225                    0.9775

TABLE II

Results for parameters $\eta = 0.125$, $r = 80$, $p(0.125, 80) = 0.2084$.



$q$     $P_e(q)$    $H(w[i] \mid w'_q[i])$    $I(w[i]; w'_q[i])$
7       0.0462      0.2702                    0.7298
11      0.0187      0.1341                    0.8656
17      0.0051      0.0465                    0.9535
19      0.0033      0.0326                    0.9674

TABLE III

Results for parameters $\eta = 0.25$, $r = 80$, $p(0.25, 80) = 0.2201$.
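
The quantities of Section V computed end to end, as an added example that is not part of the original paper. Because the summations did not survive in this copy of the text, the binomial-tail forms used for $P_{FR}$, $P_{FA}$ and $P_e(q)$ (majority vote over $q$ verdicts) are assumptions, as are all function names; under them the code reproduces $p = 0.1919$ and $P_e(7) = 0.0289$ of Table I and $p = 0.2084$ of Table II.

```python
from math import comb, floor, log2

def tail_ge(n: int, p: float, lo: int) -> float:
    """Pr[Bin(n, p) >= lo]."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(lo, n + 1))

def p_false_reject(eta: float, r: int) -> float:
    """Honest tag rejected: more than eta*r noisy rounds (assumed form)."""
    return tail_ge(r, eta, floor(eta * r) + 1)

def p_false_accept(eta: float, r: int) -> float:
    """Random answers accepted: at most eta*r mismatching rounds (assumed form)."""
    return sum(comb(r, i) for i in range(floor(eta * r) + 1)) / 2**r

def single_query_error(eta: float, r: int) -> float:
    """p = (P_FA + P_FR) / 2, as stated in Lemma 1."""
    return 0.5 * (p_false_accept(eta, r) + p_false_reject(eta, r))

def majority_error(p: float, q: int) -> float:
    """P_e(q): more than half of the q verdicts are wrong (assumed form)."""
    return tail_ge(q, p, q // 2 + 1)

def binary_entropy(p: float) -> float:
    """h(p) in bits, with h(0) = h(1) = 0."""
    return 0.0 if p <= 0.0 or p >= 1.0 else -p * log2(p) - (1 - p) * log2(1 - p)

def leakage(eta: float, r: int, q: int):
    """(P_e(q), H(w[i] | w'_q[i]), I(w[i]; w'_q[i])) for a uniform key bit."""
    pe = majority_error(single_query_error(eta, r), q)
    return pe, binary_entropy(pe), 1.0 - binary_entropy(pe)

def queries_for(target: float, eta: float, r: int, q_max: int = 199):
    """Smallest odd q whose per-bit error P_e(q) is at most target, else None."""
    p = single_query_error(eta, r)
    for q in range(1, q_max + 1, 2):
        if majority_error(p, q) <= target:
            return q
    return None

if __name__ == "__main__":
    for eta, r in [(0.125, 40), (0.125, 80), (0.25, 80)]:   # table parameters
        print(f"eta={eta} r={r} p={single_query_error(eta, r):.4f}")
        for q in (7, 11, 17, 19):
            pe, cond_h, mi = leakage(eta, r, q)
            print(f"  q={q:2d}  Pe={pe:.4f}  H={cond_h:.4f}  I={mi:.4f}")
```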